US20220269827A1 - Detection of a netlist version in a security chip - Google Patents
- Publication number: US20220269827A1 (application US17/636,831)
- Authority: US (United States)
- Prior art keywords: security chip, configuration registers, host, accesses, appliance
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/36—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with means for detecting characters not meant for transmission
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
          - G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
            - G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Definitions
- A pattern detector circuit is provided in a security chip.
- The pattern detector circuit may be a logic circuit described in FIG. 2 as element 230.
- The pattern detector circuit may be a modified version of a communication protocol monitoring circuit, i.e. the communication protocol monitoring circuit may be modified by including a pattern detection logic circuit.
- The security chip receives a predefined sequence of accesses of a plurality of configuration registers for one or more operations on the plurality of configuration registers.
- The one or more operations may be read operations only, write operations only, or a combination of read and write operations.
- The sequence of accesses is received by interface 225, which routes the request to interface arbiter 226.
- The sequence of accesses may depend on the communication protocol (e.g., the I2C protocol).
- Interface arbiter 226 shown in FIG. 2 may manage the sequence of accesses of the configuration registers 228, whose addresses are specified in the incoming request.
- A processing circuit in the pattern detector circuit calculates or otherwise provides a value that indicates the current version of the netlist. This value, referred to as the netlist-version string, is calculated based on the sequence of accesses of the various configuration registers.
- The calculated value is made available to the host by a read operation at a specific configuration register address. For example, as shown in Table I, if configuration registers A, B, and C are accessed in a certain sequence and with certain read/write operations, the correct netlist-version string will be available via a read of configuration register D, which can be obtained by the host.
- FIG. 5 illustrates an example machine of a computer system 500 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.
- The machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet.
- The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
- The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
- The term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
- The example computer system 500 includes a processing device 502, a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 518, which communicate with each other via a bus 530.
- Processing device 502 may be a processor in the pattern detector circuit 230 in FIG. 2.
- Processing device 502 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 502 is configured to execute instructions 526 for performing the operations and steps discussed herein.
- The computer system 500 may further include a network interface device 508 to communicate over the network 520.
- The computer system 500 also may include a video display unit 510 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 512 (e.g., a keyboard), a cursor control device 514 (e.g., a mouse), a graphics processing unit 522, a signal generation device 516 (e.g., a speaker), a video processing unit 528, and an audio processing unit 532.
- The data storage device 518 may include a machine-readable storage medium 524 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 526 embodying any one or more of the methodologies or functions described herein.
- The instructions 526 may also reside, completely or at least partially, within the main memory 504 and/or within the processing device 502 during execution thereof by the computer system 500, the main memory 504 and the processing device 502 also constituting machine-readable storage media.
- The instructions 526 include instructions to implement the functionality of pattern detector circuit 230 in FIG. 2.
- While the machine-readable storage medium 524 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions.
- The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure.
- The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
- The present disclosure also relates to an apparatus for performing the operations herein.
- This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer.
- A computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
- The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure.
- A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer).
- A machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.
Description
- The present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various implementations of the disclosure.
- FIG. 1 is a block diagram of the key functional components of a system where a host processor within an appliance communicates with a consumable device containing a security chip, in accordance with some embodiments of the present disclosure.
- FIG. 2 is an example implementation of a security chip, in accordance with an embodiment of the present disclosure.
- FIG. 3 is an example implementation of an evaluation module in a host processor within an appliance, in accordance with an embodiment of the present disclosure.
- FIG. 4 is a flow diagram of an example method describing operations of a security chip with a pattern detector circuit, in accordance with some embodiments of the present disclosure.
- FIG. 5 illustrates a block diagram of a sample computer system in which some embodiments of the disclosure may operate.
- Aspects of the present disclosure are directed to monitoring an intended hardware configuration in a security chip that is physically connected to a consumable device or an article which is functionally coupled to an appliance. The security chip communicates with a host processor in the appliance, and the host can read a value indicative of the current version of the netlist in the security chip if a plurality of configuration registers in the security chip are accessed in a correct sequence, as detected by a pattern detector circuit in the security chip. The host processor within the appliance may communicate with the security chip for a variety of reasons, including but not limited to configuring the operation of the consumable device, confirming the operational readiness of the consumable device, ensuring that the consumable device is compatible with the appliance, etc.
- A netlist textually describes the interconnection between the various hardware components to be implemented in a chip. For example, in the case of a circuit built with a plurality of logic gates, the netlist describes the logic gate instances and the connections between them. In essence, a netlist is a fingerprint of the hardware design version used in a particular chip. When a chip contains a functional error within the netlist, it is often more economical to update the host software to work around the error with specialized software, rather than update the chip to repair the error. When there are many possible versions of a chip that the host software needs to be compatible with, it is useful to provide the host with a netlist version value, so that the software can correctly interact with the chip. In the case of a security chip, however, revealing the netlist version value to an adversary could help facilitate an attack. The challenge is to provide a means by which a host can readily obtain the current version of the netlist from a security chip in the consumable device, while at the same time obscuring that value from potential adversaries.
- Aspects of this disclosure address the above and other challenges by providing a pattern detector circuit in the security chip attached to the consumable device that monitors the host's interaction with the security chip. The pattern detector circuit in a security chip can detect a target pattern (e.g., a correct sequence of accesses of a plurality of configuration registers) and generate a target value based on the target pattern. A specific configuration register can be updated with the target value that indicates the netlist-version value. When the host reads the netlist-version value at the specific configuration register, the host processor within the appliance can correctly interact with the security chip within the consumable device.
-
FIG. 1 illustrates the main components of system having anappliance 105 and aconsumable device 118, in accordance with some aspects of the present disclosure. Ahost processor 110 in theappliance 105 sends aread request 115 to an interface circuit of asecurity chip 120 attached to theconsumable device 118, and receives aresponse 116.Security chip 120 may generate a netlist-version string by a special circuit (such as apattern detector circuit 230 shown inFIG. 2 ) when certain conditions are met.Host processor 110 may be implemented as a standalone chip or as software executed by a processor in a host (e.g., a central processing unit (CPU) of the host, or an application processor). Based on the receivedresponse 116,host processor 110 can, in an embodiment, determine the netlist version of the security chip and adjust its software execution accordingly. -
FIG. 2 illustrates an example implementation of an interface circuit of asecurity chip 220. As mentioned above, the security chip may be a part of a consumable device that is required to be compatible with a specific host contained within a specific appliance. For example, the consumable device may be an ink cartridge or a toner cartridge for a printer that houses the host. In another example, the consumable device may be a disposable medical sensor (e.g., an ultrasound transducer) for a medical diagnostic equipment that houses the host. In another example, the consumable device may be a rechargeable battery, and the battery recharger houses the host. In another example, the consumable device may be an automotive component (e.g., a headlight assembly, an airbag module, a sensor module, etc.) within an advanced driver assist system that comprises the host. In each of these embodiments, the host may need to adjust its interaction with the security chip, depending on the netlist version of the security chip disposed on the consumable device. -
Security chip 220 may have aninterface arbiter 226 for handling communication with the host using a specific communication protocol, such as inter-integrated-circuit (I2C) protocol.Interface arbiter 226 may receive communication from the host from anelectrical interface 225.Interface 225 may be an I2C interface, which is a synchronous serial computer bus that is used for attaching peripheral ICs to processors and microcontrollers in short distance communication.Interface 225 can handle all communication to/from the host, and route the signals within the security chip via theinterface arbiter 226. -
Security chip 220 may also have a plurality ofconfiguration registers 228, and each configuration register is associated with a corresponding address. Configuration registers can be programmed during manufacturing with information specific to the consumable device to which it will be attached, e.g., what the model number of the consumable device is. The configuration registers can further be read or written based on host communication. For example, a read request may specify an address of a certain configuration register that has a value pertaining to the operational status of the consumable device (e.g., is the consumable ready for operation, is it busy with an operation, or did a previous operation result in an error). In another example, a reset operation may be initiated by writing to a certain configuration register whose address is specified in the host-initiated request.Interface arbiter 226 may mediate access to one or more configuration registers in a particular sequence. In one embodiment, a value may become readable by the host at a certain configuration register. The value may comprise a binary string that indicates a netlist version. The binary string is referred to as a “netlist-version string,” as described below. -
Security chip 220 also includes apattern detector circuit 230.Pattern detector circuit 230 is coupled to the plurality ofconfiguration registers 228.Pattern detector circuit 230 receives as an input thesignal 227 betweeninterface arbiter 226 and theconfiguration registers 228. This implies that thepattern detector circuit 230 can monitor access traffic betweeninterface arbiter 226 and theconfiguration registers 228, looking for a predetermined sequence that generates a target pattern. If a target pattern in the traffic betweeninterface arbiter 226 and theconfiguration registers 228 is matched, a special configuration register can be updated with a specific value. For example, if three configuration registers, A, B, and C are accessed in the correct sequence in accordance with the protocol in use, the pattern detector circuit updates a configuration register D with a specific value (“netlist-version string”) indicating the correct netlist-version. However, as shown in the examples in Table I below, if the sequence of access is different, then the configuration register D is updated with a string of zeroes, referred to as 0-string, or, a string different than the correct netlist-version string (e.g., a string of random or pseudorandom values). In other embodiments, in addition to monitoring the address pattern associated with the access, the pattern detector circuit will additionally monitor for read or write operations for each access. For example, if three configuration registers, A, B, and C are accessed in the correct predetermined sequence and with the correct predetermined read or write operation, the pattern detector circuit updates a configuration register D with a specific value (“netlist-version string”) indicating the correct netlist-version. -
Pattern detector circuit 230 comprises a processor or processing circuit (not shown) that can calculate or otherwise provide the netlist-version string or the 0-string based on a matching or non-matching sequence of accesses of the plurality of configuration registers, using a pattern matching algorithm. Note that while the examples herein use four registers, A through D, in practice the plurality of configuration registers is much larger, typically at least 8 to 32 registers. Via this approach, the netlist-version string may be readily obtained by a processing host that requires the value (e.g., to configure its software execution), while at the same time the value is obscured from potential security adversaries.

Table I: Value at a Specific Configuration Register Address Based on Sequence of Accesses of a Plurality of Configuration Registers

Sequence of accessing configuration registers | Value at configuration register D |
---|---|
Read A, write B, read A, read C, read D | Correct netlist-version string |
Read A, read B, read A, read C, read D | 0-string |
Read A, write B, write A, read C, read D | 0-string |
Read A, write B, read A, write C, read D | 0-string |
Write A, write B, read A, read C, read D | 0-string |
FIG. 3 illustrates an example implementation of an evaluation module 310 in a host. The evaluation module 310 may have an interface 312 to send requests (e.g., a request to read data loaded at a particular configuration register address) to a security chip, and to receive responses from the security chip. Evaluation module 310 may have (or cause to be executed within a processing host) netlist-version evaluation software 334, which, when executed by a processor, is configured to issue a sequence of configuration register operations that will obtain the netlist-version value from the security chip.
FIG. 4 is a flow diagram of an example method 400 performed by a security chip during a configuration register access process, in accordance with some aspects of the present disclosure. The method 400 may be performed by processing logic that may include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 400 may be performed by various components of the security chip 220 shown in FIG. 2.

At operation 410, a pattern detector circuit is provided in a security chip. The pattern detector circuit may be a logic circuit described in FIG. 2 as element 230. In some embodiments, the pattern detector circuit may be a modified version of a communication protocol monitoring circuit, i.e., the communication protocol monitoring circuit may be modified by including a pattern detection logic circuit.

At operation 420, the security chip receives a predefined sequence of accesses of a plurality of configuration registers for one or more operations to the plurality of configuration registers. The one or more operations may be read operations only, write operations only, or a combination of read and write operations. In the example embodiment shown in FIG. 2, the sequence of accesses is received by interface 225, which routes the request to interface arbiter 226. The sequence of accesses may depend on the communication protocol (e.g., the I2C protocol).

At operation 430, the plurality of configuration registers are accessed in the predefined sequence. In an embodiment, interface arbiter 226 shown in FIG. 2 may manage the sequence of accesses of the configuration registers 228, whose addresses are specified in the incoming request.

At operation 440, a processing circuit in the pattern detector circuit calculates or otherwise provides a value that indicates a current version of the netlist. This value, referred to as the netlist-version string, is calculated based on the sequence of accesses of the various configuration registers.

At operation 450, the calculated value is made available to be obtained by the host by a read operation at a specific configuration register address. For example, as shown in Table I, if configuration registers A, B, and C are accessed in a certain sequence and with certain read/write operations, the correct netlist-version string will be available via a read of configuration register D, which can be obtained by the host.

Persons skilled in the art will understand that although the flow diagram in FIG. 4 shows a particular sequence or order, unless otherwise specified, the order of the processes can be modified. Thus, the illustrated embodiments should be understood only as examples, and the illustrated processes can be performed in a different order, and some processes can be performed in parallel. Additionally, one or more processes can be omitted in various embodiments. Thus, not all processes are required in every embodiment. Other process flows are possible.
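The following C program is an added behavioral model, not code from the patent or from its assignee, that ties together the pattern detector of FIG. 2, the access sequence of method 400 (operations 420 through 450), and the five rows of Table I. It monitors each (operation, address) pair on the arbiter-to-register path, loads register D with the netlist-version string only when the predetermined pattern is matched, and loads the 0-string on any deviation. The register addresses, the 16-bit netlist-version value, the rule that D is consumed on read, and the restart rule after a mismatching access are assumptions of this model, not values from the disclosure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register addresses A..D: constructed values for this model, not from the patent. */
enum { REG_A = 0x10, REG_B = 0x11, REG_C = 0x12, REG_D = 0x13 };

typedef enum { OP_READ = 0, OP_WRITE = 1 } op_t;

/* One access as seen on the arbiter-to-register path (signal 227 in FIG. 2). */
typedef struct { op_t op; uint8_t addr; } access_t;

/* Constructed netlist-version string; a real chip would tie this to its design revision. */
#define NETLIST_VERSION ((uint16_t)0xA5C3)
#define ZERO_STRING     ((uint16_t)0x0000)

/* The predetermined pattern: the four accesses that precede the read of D in Table I. */
static const access_t PATTERN[] = {
    { OP_READ, REG_A }, { OP_WRITE, REG_B }, { OP_READ, REG_A }, { OP_READ, REG_C },
};
#define PATTERN_LEN (sizeof PATTERN / sizeof PATTERN[0])

typedef struct {
    size_t   matched;  /* consecutive pattern steps matched so far */
    uint16_t reg_d;    /* value currently readable at configuration register D */
} detector_t;

static void detector_init(detector_t *d) { d->matched = 0; d->reg_d = ZERO_STRING; }

/* Feed one access to the detector. Returns the value delivered when the access is a
 * read of D, and 0 for every other access (other registers' contents are not modelled). */
static uint16_t detector_access(detector_t *d, op_t op, uint8_t addr)
{
    if (op == OP_READ && addr == REG_D) {
        uint16_t value = d->reg_d;
        detector_init(d);  /* model assumption: D is consumed on read so the value does not linger */
        return value;
    }
    if (d->matched < PATTERN_LEN &&
        PATTERN[d->matched].op == op && PATTERN[d->matched].addr == addr) {
        if (++d->matched == PATTERN_LEN)
            d->reg_d = NETLIST_VERSION;   /* full match: expose the netlist-version string */
    } else {
        d->reg_d = ZERO_STRING;           /* any deviation loads the 0-string (Table I) */
        /* model assumption: the deviating access may itself begin a fresh attempt */
        d->matched = (PATTERN[0].op == op && PATTERN[0].addr == addr) ? 1 : 0;
    }
    return 0;
}

/* Drive a host-issued sequence through a fresh detector (the role of evaluation
 * software 334 in FIG. 3); returns what the last access delivered. */
static uint16_t run_sequence(const access_t *seq, size_t n)
{
    detector_t d;
    uint16_t delivered = ZERO_STRING;
    detector_init(&d);
    for (size_t i = 0; i < n; i++)
        delivered = detector_access(&d, seq[i].op, seq[i].addr);
    return delivered;
}

/* The five rows of Table I, each ending with the read of D. */
static const access_t TABLE_I[5][5] = {
    { {OP_READ,  REG_A}, {OP_WRITE, REG_B}, {OP_READ,  REG_A}, {OP_READ,  REG_C}, {OP_READ, REG_D} },
    { {OP_READ,  REG_A}, {OP_READ,  REG_B}, {OP_READ,  REG_A}, {OP_READ,  REG_C}, {OP_READ, REG_D} },
    { {OP_READ,  REG_A}, {OP_WRITE, REG_B}, {OP_WRITE, REG_A}, {OP_READ,  REG_C}, {OP_READ, REG_D} },
    { {OP_READ,  REG_A}, {OP_WRITE, REG_B}, {OP_READ,  REG_A}, {OP_WRITE, REG_C}, {OP_READ, REG_D} },
    { {OP_WRITE, REG_A}, {OP_WRITE, REG_B}, {OP_READ,  REG_A}, {OP_READ,  REG_C}, {OP_READ, REG_D} },
};

/* Value the host reads at D for Table I row `row` (0..4). */
uint16_t table_i_value(int row)
{
    return run_sequence(TABLE_I[row], 5);
}

/* After a correct sequence, a second read of D without repeating the pattern yields the 0-string. */
uint16_t second_read_of_d(void)
{
    detector_t d;
    detector_init(&d);
    for (size_t i = 0; i < 5; i++)
        detector_access(&d, TABLE_I[0][i].op, TABLE_I[0][i].addr);
    return detector_access(&d, OP_READ, REG_D);
}

int main(void)
{
    for (int row = 0; row < 5; row++)
        printf("Table I row %d -> D = 0x%04X\n", row + 1, table_i_value(row));
    printf("second read of D -> 0x%04X\n", second_read_of_d());
    return 0;
}
```

Only row 1 of Table I yields the netlist-version string; the other four rows differ from the pattern in a single read/write operation or address, which is exactly the distinction the second embodiment (monitoring the operation type as well as the address) is there to make. Consuming D on read is a model choice: it keeps the value from sitting in a readable register after the host has collected it.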
FIG. 5 illustrates an example machine of a computer system 500 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.

The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The example computer system 500 includes a processing device 502, a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 518, which communicate with each other via a bus 530. In one implementation, processing device 502 may be a processor in the pattern detector circuit 230 in FIG. 2.

Processing device 502 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 502 is configured to execute instructions 526 for performing the operations and steps discussed herein.

The computer system 500 may further include a network interface device 508 to communicate over the network 520. The computer system 500 also may include a video display unit 510 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 512 (e.g., a keyboard), a cursor control device 514 (e.g., a mouse), a graphics processing unit 522, a signal generation device 516 (e.g., a speaker), a video processing unit 528, and an audio processing unit 532.

The data storage device 518 may include a machine-readable storage medium 524 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 526 embodying any one or more of the methodologies or functions described herein. The instructions 526 may also reside, completely or at least partially, within the main memory 504 and/or within the processing device 502 during execution thereof by the computer system 500, the main memory 504 and the processing device 502 also constituting machine-readable storage media.

In one implementation, the instructions 526 include instructions to implement the functionality of pattern detector circuit 230 in FIG. 2. While the machine-readable storage medium 524 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.

Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
- It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “identifying” or “determining” or “executing” or “performing” or “collecting” or “creating” or “sending” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
- The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
- The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the method. The structure for a variety of these systems will appear as set forth in the description below. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.
- The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.
- In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/636,831 US11868512B2 (en) | 2019-09-06 | 2020-09-04 | Detection of a netlist version in a security chip |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962897177P | 2019-09-06 | 2019-09-06 | |
US17/636,831 US11868512B2 (en) | 2019-09-06 | 2020-09-04 | Detection of a netlist version in a security chip |
PCT/US2020/049505 WO2021046420A1 (en) | 2019-09-06 | 2020-09-04 | Detection of a netlist version in a security chip |
Publications (2)
Publication Number | Publication Date |
---|---|
US20220269827A1 true US20220269827A1 (en) | 2022-08-25 |
US11868512B2 US11868512B2 (en) | 2024-01-09 |
Family
ID=74852248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/636,831 Active 2040-09-12 US11868512B2 (en) | 2019-09-06 | 2020-09-04 | Detection of a netlist version in a security chip |
Country Status (2)
Country | Link |
---|---|
US (1) | US11868512B2 (en) |
WO (1) | WO2021046420A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060059345A1 (en) * | 2004-09-10 | 2006-03-16 | International Business Machines Corporation | System and method for providing dynamically authorized access to functionality present on an integrated circuit chip |
US20070247936A1 (en) * | 2006-04-20 | 2007-10-25 | Texas Instruments Incorporated | Flexible and efficient memory utilization for high bandwidth receivers, integrated circuits, systems, methods and processes of manufacture |
US20080154251A1 (en) * | 2004-09-09 | 2008-06-26 | Reliant Technologies, Inc. | Interchangeable Tips for Medical Laser Treatments and Methods for Using Same |
US9413356B1 (en) * | 2013-12-11 | 2016-08-09 | Marvell International Ltd. | Chip or SoC including fusible logic array and functions to protect logic against reverse engineering |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7656184B2 (en) | 2005-12-30 | 2010-02-02 | Intel Corporation | Detecting counterfeit products |
US9536112B2 (en) | 2011-06-13 | 2017-01-03 | Stmicroelectronics Asia Pacific Pte Ltd. | Delaying or deterring counterfeiting and/or cloning of a component |
US10184980B2 (en) | 2016-09-06 | 2019-01-22 | Texas Instruments Incorporated | Multiple input signature register analysis for digital circuitry |
2020
- 2020-09-04 WO PCT/US2020/049505 patent/WO2021046420A1/en active Application Filing
- 2020-09-04 US US17/636,831 patent/US11868512B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080154251A1 (en) * | 2004-09-09 | 2008-06-26 | Reliant Technologies, Inc. | Interchangeable Tips for Medical Laser Treatments and Methods for Using Same |
US20060059345A1 (en) * | 2004-09-10 | 2006-03-16 | International Business Machines Corporation | System and method for providing dynamically authorized access to functionality present on an integrated circuit chip |
US20070247936A1 (en) * | 2006-04-20 | 2007-10-25 | Texas Instruments Incorporated | Flexible and efficient memory utilization for high bandwidth receivers, integrated circuits, systems, methods and processes of manufacture |
US9413356B1 (en) * | 2013-12-11 | 2016-08-09 | Marvell International Ltd. | Chip or SoC including fusible logic array and functions to protect logic against reverse engineering |
Also Published As
Publication number | Publication date |
---|---|
US11868512B2 (en) | 2024-01-09 |
WO2021046420A1 (en) | 2021-03-11 |
Legal Events
Code | Title | Description |
---|---|---|
FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
AS | Assignment | Owner name: CRYPTOGRAPHY RESEARCH, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BEST, SCOTT C;RODGERS, CHRISTOPHER LEIGH;REEL/FRAME:059075/0387 Effective date: 20190918 |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED |
STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |